Retail Fraud Surges 96% YoY During Labor Day Shopping, Raising Concerns for Upcoming Holiday Shopping Season

CQ Prime threat research finds retailers could lose up to $60,000 an hour without proper API and bot protection

SANTA CLARA, Calif.--()--Cequence, a pioneer in API security and bot management, today released alarming new data revealing a 96% surge in attack traffic targeting retailers during the Labor Day weekend.

Developed by the CQ Prime threat research team, the data is based on real, anonymized traffic and attack data from Cequence’s retail customer base, comprised of Fortune 500 and Global 2000 companies, and sampled from billions of transactions. Cequence’s threat researchers observed significant increases in malicious activity targeting retailers over the holiday weekend.

Key findings include:

  • Retailers Under Siege Labor Day Weekend: The retail vertical saw a 96% surge in attack traffic over Labor Day weekend as compared to last year.
  • Bots Up Their Game for the Holidays: Retailers faced a 79% surge in blocked bot traffic as compared to last year.
  • Cybercriminals Target Retailers with Account Takeovers: Cequence blocked over 26.69 million account takeovers (ATOs) during the Labor Day sales period.
  • Attack Traffic Soars for Major Retailer: During a recent summer sales event, a notable retailer witnessed a blocked bot traffic surge of 435% compared to normal levels. The volume of malicious traffic experienced a staggering 2,724% increase from normal levels, indicating a significant surge in malicious activity during the major sales event.
  • Cybersecurity Gaps Prove Costly for Retailers: Retailers could lose $60,000 every hour without proper bot and API protection, especially during high-traffic periods like holiday weekends.
  • Latest iPhone Drives Spike in API Calls: Since the iPhone 16's launch in early September, Cequence has managed over 6.7 billion API calls for eight of the world’s top telecommunications companies. Notably, 37% of this traffic was malicious.

“During holiday seasons, retailers often face a perfect storm of increased vulnerability,” said William Glazier, Director of Threat Research at Cequence. “Reduced staffing levels, coupled with the surge in online activity driven by sales and promotions, create a prime opportunity for cybercriminals to exploit. Retailers risk significant financial losses due to fraudulent activities without robust bot and API protection.”

To mitigate these threats, Cequence recommends that retail businesses take the following steps:

  • Practice, Practice, Practice: Regularly review policies and procedures, and run practice drills tailored to an organization’s unique risks. Consider perspectives from the company, customers and potential attackers.
  • Know What to Protect: Maintain a detailed and up-to-date inventory of public-facing applications and associated APIs, as many attacks succeed due to overlooked or unknown endpoints.
  • Prioritize Business Goals: Focus on what drives success for the business. If speed is key, optimize performance; if user experience matters, ensure secure and fast user validation using methods like canary headers and known IPs.
  • Leverage Security Systems: Implement multi-factor authentication and monitor systems for unusual activity, especially during peak times.
  • Monitor User Activity: Track login patterns to identify anomalies, such as a user logging in 50 times in an hour from various global IP addresses, which could indicate an account takeover attempt.

“Our research makes it clear that retailers are prime targets for cybercriminals, making immediate action not just important, but imperative,” Glazier said. “While these measures should be a priority year-round, now is the time for retailers to get ahead of threat actors as peak shopping periods quickly approach.”

Additional Resources:

About Cequence Security

Cequence, a pioneer in API security and bot management, is the only solution that delivers Unified API Protection (UAP), uniting discovery, compliance, and protection across all internal, external, and third-party APIs to defend against attacks, targeted abuse, and fraud. The flexible deployment model supports SaaS, on-premises, and hybrid installations, and APIs can be onboarded in less than 15 minutes without requiring any app instrumentation, SDK, or JavaScript integration. Cequence solutions scale to handle the most demanding government, Fortune 500, and Global 500 organizations, securing more than 8 billion daily API interactions and protecting more than 3 billion user accounts. To learn more, visit www.cequence.ai.

Contacts

Katrina Porter
press@cequence.ai